Website Security Solutions | Latest Guides | Blog

Encrypting files with GPG using GPG4WIN

Usually we focus on SSL/TLS and its role in encryption in-transit. However, encryption at-rest is equally worth understanding. While encryption in-transit (also called in-flight) focuses on secure transmission over an insecure channel, both the sending and receiving endpoints have access to the information in the clear. In contrast, encryption at-rest encrypts data sitting on a hard drive. This… [read more →]

M of N Setup with NitroKey HSM

This is perhaps one of the most abstract uses of an HSM, so let’s start with a real-world scenario. Your IT department recently read the last article in this series and wants to set up an offline root CA whose private key is stored on the Nitrokey HSM. Just like any hardware, the NitroKey has the potential to be a single point of failure. Nitrokey’s backup model allows for backups to be taken tha… [read more →]

Create an Internal PKI using OpenSSL and NitroKey HSM

In our last article, we covered getting started with the NitroKey HSM. Today we will go through the process of setting up an entire internal PKI backed by the security guarantee the HSM provides. First, we will generate a root CA with a private key living on the HSM’s hardware. Then, we will generate an Intermediate CA, whose private key will live on disk, secured by file system permissions in Linux. T… [read more →]

NitroKey HSM introduction, setup and use case overview

SSL/TLS relies on a public/private keypair in order to keep data secure in transit. If a private key is no longer private, the communication is no longer secure. For most organisations, simply making sure to generate private keys on the server where they will be used is reasonably secure. It is a much more difficult and expensive proposition to protect against even the server itself being… [read more →]

Forcing older .Net applications to use strong cryptography

Microsoft’s .NET framework is a collection of tools and libraries accessible from various “.NET programming languages” used by developers to build applications on the Windows platform. ASP.NET, which runs natively on IIS (Microsoft’s web server bundled with Windows Server), Visual Basic .NET, C# .NET and Windows PowerShell are all examples of languages which can natively take advantage of the abstrac… [read more →]

What to do when you take control of/inherit a Secure Network Environment

There are a lot of reasons why you might inherit a network. Maybe the person who handled SSL/TLS left abruptly, or perhaps you’re doing a favor for a friend. Whatever the reason, it can be overwhelming to get a handle on the sorts of care and feeding a computer system requires from an SSL/TLS standpoint. This is understandable. It’s a lot of responsibility to ensure that a system keeps running wit… [read more →]

How to use Wireshark to Troubleshoot SSL/TLS App Network issues

Wireshark is an extremely powerful tool for analyzing the conversations your computer is having over the network. When an application’s logs come up empty, Wireshark is often the best way to figure out what’s going on with a piece of software. When troubleshooting issues with SSL/TLS, Wireshark is invaluable. Have you ever gotten an error message complaining about secure negotiation? Most sysadmins have. Where is … [read more →]

Setup Varnish with Nginx and SSL

Two of the most important considerations for any website owner are security and speed. Historically, these goals have been ever at odds. One of the most effective techniques for ensuring a consistent experience for end users is a caching layer. Varnish, the best known, does not natively support SSL/TLS. Luckily, by combining Varnish with a reverse proxy like nginx, we can take advantage of… [read more →]

Setup HAProxy 2 with KeepAliveD and Layer 7 Retries

HAProxy is an extremely powerful free and open-source load balancing solution. With it, you can ensure high availability within your datacenter. Highly available systems are better for business continuity and better for security, as they can be patched with updates without taking the service down. A common pattern in the design of highly available systems is to use a pair of load balancers in… [read more →]

The Complete and Easy Guide to TLS1.3

Transport Layer Security (TLS) provides the foundation for encryption in-flight. The first version of TLS, 1.0, replaced Secure Sockets Layer (SSL) in 1999. The latest version, 1.3, was finalized as a proposed standard in RFC 8446 in August 2018. With it come enhancements in both speed and security. One of the biggest differences between TLS 1.2 and TLS 1.3 is that perfect forward secrecy… [read more →]